Metasploitable: Gaining Root on a Vulnerable Linux System

Tuesday, May 22, 2012

Dan Dieterle

As I mentioned in my previous post, Metasploitable is a purposefully vulnerable Ubuntu 8.04 image that is running several unpatched services.

Metasploitable is a great platform to practice and develop your penetration testing skills. In this tutorial, I will show you how to scan the system, find one of the vulnerable services and then exploit the service to gain root access.

In this tutorial I am using a system running Backtrack 5r2 and the Ubuntu Metasploitable VMware image.

On your Backtrack system, run the Metasploit console.

(From the GUI menu: Backtrack / Exploitation Tools / Network Exploitation Tools / Metasploit Framework / Msfconsole)

Scan the host

The first thing we will do is scan the target (192.168.0.117 in this case) with nmap:

The -sS option tells nmap to perform a stealth scan, and the -A option tells it to try to discover OS and service version levels. As you can see from the above picture, several services are running on multiple ports. Note that this box is running Samba on ports 139 and 445. Samba provides SMB file and print services for Windows clients.

In this tutorial we will focus on the Samba service. Nmap says it is running version 3.x, so let’s see if we can get more specific information. Metasploit has some amazing auxiliary modules, one group being the scanner section. Let’s search the scanner section for the SMB protocol:

It looks like the scanner section has an SMB version detector. In the picture above, I select and run the SMB detector program. The program responds with the exact version of Samba – 3.0.20.

A quick online search for vulnerabilities in this version of Samba returns “Username Map Script”. If we use the “search samba” command in Metasploit, it lists the available exploits.

An exploit exists for “Username Map Script” and it has a rating of excellent, which means it is a very solid and reliable exploit.

Exploiting

Now we will use the “Username Map Script” to gain a root level shell on the system:

In the picture above, we simply chose the exploit to use, configured it with the target address, 192.168.0.117, then told it to run. Metasploit ran the exploit against the system, created a remote session with the target and opened a command shell. As you can see, I ran the “id” command in the remote shell and it returned:

uid=0(root) gid=0(root)

We do in fact have a remote access root command shell with the target machine.

Conclusion

There you have it, a remote root shell from a vulnerable Linux service. In a real world situation, the attacker would then make moves to recover data from the machine (passwords, documents, etc), and possibly use this machine to penetrate deeper into the target network.

As you can see, if software updates are not applied to your system (OS manufacturer does not matter), your system could be at risk of being compromised. And as always, do not try these techniques on a system that you do not have permission to test.
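
A defender-side check for the condition this tutorial relies on, as an added example that is not part of the original post: it flags a host whose reported Samba version predates the fix and whose smb.conf sets the `username map script` option the exploit is named after. The fixed release (3.0.25), the version banner and the sample configuration are assumptions constructed for illustration.

```python
import re
# Assumption (not from the article): first Samba release carrying the fix.
# Confirm against the Samba security advisory before relying on it.
ASSUMED_FIXED_IN = "3.0.25"

def parse_version(banner):
    """Return (major, minor, patch, is_final); pre-releases sort before finals."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)((?:rc|pre|alpha|beta)\d*)?", banner, re.I)
    if not m:
        raise ValueError("no Samba version found in %r" % banner)
    return tuple(int(g) for g in m.groups()[:3]) + (0 if m.group(4) else 1,)

def global_params(conf_text):
    """Parse the [global] section of smb.conf text into a dict."""
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    section, params = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(banner, conf_text, fixed_in=ASSUMED_FIXED_IN):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    if parse_version(banner) < parse_version(fixed_in):
        findings.append("version older than %s: update Samba" % fixed_in)
    script = global_params(conf_text).get("usernamemapscript", "")
    if script:
        findings.append("'username map script' is set (%s): review or remove" % script)
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """[global]
   workgroup = WORKGROUP
   User Name Map Script = /etc/samba/scripts/\\
mapusers.sh
[print$]
   path = /var/lib/samba/printers
"""

if __name__ == "__main__":
    print(audit("Samba 3.0.20-Debian", SAMPLE_CONF))
```

Run it against the version string your own scanner reports and the contents of the server's smb.conf; both findings together describe the exposed state shown in this tutorial.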

For a more involved series of tutorials on compromising all the services of Metasploitable (and tons of other great Linux Security info), check out the Metasploitable series done by my friend Dangertux. Dangertux is an amazing Linux/Unix security guru who has probably forgotten more about Linux security than I will ever know.

Cross-posted from Cyber Arms

Patrick Bausemer: Hi Dan, great blog post. If anybody is interested in downloading Metasploitable, you can do so here! http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web